That's quite possible, I'm not super into the modding scene. I guess my default assumption is that mods should be running through some sort of scripting interface that doesn't have access to things like the filesystem.
When developers add an official modding interface, then it usually works the way you've suggested. They get access to much of the internal API and a sandboxed environment.
Many mods though, work by just subverting the game by replacing components with custom-made ones. This allows substantially more customization.
In Minecraft, both types exist. The first type are called "data packs" or "resource packs" and would not be subject to this attack. The latter type involves swapping in new .jar files and running them directly, which is unsupported by the developer and gives basically unrestricted access.
This might be a bit nitpicky but resource packs just replace assets without scripting capabilities, and datapacks do let you run commands which are Turing-complete but they aren’t really a great programming language because you can’t do things like loops in a normal way